Package: clamav Version: 0.63.0-2 Severity: normal Tags: security The pid files for clamav and freshclam are writable by user clamav. It that user is compromised, it can replace the pid file contents with an arbitrary pid, such as 1. Then both init scripts will proceed to the process.
start-stop-daemon avoids this kind of security flaw by checking /proc/pid/exe (when run with -exec), or at least the process name (when run with -name). Neither init script uses it. The lsb init script pidofproc does not do those checks on Debian at least. Besides the potential security hole, killing a process that is stored in a pid file without checking that the pid file is accurate is asking for trouble. Things go wrong, and pid files, stale. -- see shy jo -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
